GET Requests:

Infection Chain:
The infection chain starts with a compromised website. In this case the compromised website was injected with the EITest script. It is worth noting that the EITest script has gone through some changes over the last couple of weeks. For example, the EITest script is now being obfuscated and encoded. In the most recent example below we can see that the EITest script is now hex encoded and obfuscated:

Using the replace() method to replace all hyphens with percent signs removes the obfuscation and returns the hex encoded data. The hex encoded data is then decoded via the decodeURIComponent() function and written to the document with the document.write() function. All of this was likely added to the EITest script to evade detection. Here is what the EITest script looks like fully deobfuscated and decoded:

Once the EITest script has been deobfuscated and decoded, the script generates a GET request. This GET request returns what I refer to as the EITest SWF Redirect. That Flash file is being hosted at the domain shown in the script above. Another recent change is the lack of a URI for the EITest Flash file and the change in the URI pattern for the gate (/index.php).

Below is the return HTTP traffic containing the EITest Flash file:

The EITest Flash file is used to redirect the host to the EITest gate. Below is the HTML file returned by the EITest gate:

In the source code above we can see a snippet of JavaScript containing the URL for the Rig Exploit Kit landing page. The href property is used to point to the EK landing page.

The return HTTP traffic contains a gzip compressed file. Extracting the file and saving it as an .html or .txt file will allow you to see the code:

The landing page contains some checks as well as the location of the Flash exploit. Here we see the host making a GET request for the Flash exploit:

Finally we see the payload being requested and delivered to the host:

The payload was dropped in %TEMP%:

The same file (but as an .exe) was dropped in a newly created folder called “GapeMfijr” and was named “DekJanv.exe”. The file description claims that it is something called “HD Video Converter Factory Pro”. There is also a rather large 20MB file called “RagqEwzo”:

Checking the Registry shows a key being used for persistence. The key can be found in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: